Hello community, here is the log from the commit of package rdesktop for openSUSE:Factory checked in at 2019-02-01 11:45:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rdesktop (Old) and /work/SRC/openSUSE:Factory/.rdesktop.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rdesktop" Fri Feb 1 11:45:34 2019 rev:36 rq:669874 version:1.8.4 Changes: -------- --- /work/SRC/openSUSE:Factory/rdesktop/rdesktop.changes 2018-02-15 13:26:48.013155966 +0100 +++ /work/SRC/openSUSE:Factory/.rdesktop.new.28833/rdesktop.changes 2019-02-01 11:45:35.644543324 +0100 
@@ -1,0 +2,34 @@ +Mon Jan 28 20:29:52 UTC 2019 - Markus Beth <[email protected]> + +- update to 1.8.4 + * Add rdp_protocol_error function that is used in several fixes + * Refactor of process_bitmap_updates + * Fix possible integer overflow in s_check_rem() on 32bit arch + * Fix memory corruption in process_bitmap_data - CVE-2018-8794 + * Fix remote code execution in process_bitmap_data - CVE-2018-8795 + * Fix remote code execution in process_plane - CVE-2018-8797 + * Fix Denial of Service in mcs_recv_connect_response - CVE-2018-20175 + * Fix Denial of Service in mcs_parse_domain_params - CVE-2018-20175 + * Fix Denial of Service in sec_parse_crypt_info - CVE-2018-20176 + * Fix Denial of Service in sec_recv - CVE-2018-20176 + * Fix minor information leak in rdpdr_process - CVE-2018-8791 + * Fix Denial of Service in cssp_read_tsrequest - CVE-2018-8792 + * Fix remote code execution in cssp_read_tsrequest - CVE-2018-8793 + * Fix Denial of Service in process_bitmap_data - CVE-2018-8796 + * Fix minor information leak in rdpsnd_process_ping - CVE-2018-8798 + * Fix Denial of Service in process_secondary_order - CVE-2018-8799 + * Fix remote code execution in in ui_clip_handle_data - CVE-2018-8800 + * Fix major information leak in ui_clip_handle_data - CVE-2018-20174 + * Fix memory corruption in rdp_in_unistr - CVE-2018-20177 + * Fix Denial of Service in process_demand_active - CVE-2018-20178 + * Fix remote code execution in lspci_process - CVE-2018-20179 + * Fix remote code execution in rdpsnddbg_process - CVE-2018-20180 + * Fix remote code execution in seamless_process - CVE-2018-20181 + * Fix remote code execution in seamless_process_line - CVE-2018-20182 + * Fix building against OpenSSL 1.1 + +- remove obsolete patches + * rdesktop-Fix-OpenSSL-1.1-compability-issues.patch + * rdesktop-Fix-crash-in-rdssl_cert_to_rkey.patch + +------------------------------------------------------------------- Old: ---- rdesktop-1.8.3.tar.gz 
rdesktop-Fix-OpenSSL-1.1-compability-issues.patch rdesktop-Fix-crash-in-rdssl_cert_to_rkey.patch New: ---- rdesktop-1.8.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rdesktop.spec ++++++ --- /var/tmp/diff_new_pack.3jsOpX/_old 2019-02-01 11:45:36.164542790 +0100 +++ /var/tmp/diff_new_pack.3jsOpX/_new 2019-02-01 11:45:36.172542782 +0100 @@ -1,7 +1,7 @@ # # spec file for package rdesktop # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,24 +12,20 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: rdesktop -Version: 1.8.3 +Version: 1.8.4 Release: 0 Summary: A Remote Desktop Protocol client -License: GPL-3.0+ +License: GPL-3.0-or-later Group: Productivity/Networking/Other Url: http://www.rdesktop.org/ -Source: http://prdownloads.sourceforge.net/rdesktop/%{name}-%{version}.tar.gz +Source: https://github.com/rdesktop/rdesktop/releases/download/v%{version}/%{name}-%{version}.tar.gz ## FIX-openSUSE: remove "Don't depend on pkg-config" Patch0: rdesktop-fix_pkgconfig_check.patch -# PATCH-FIX-UPSTREAM rdesktop-Fix-OpenSSL-1.1-compability-issues.patch -Patch1: rdesktop-Fix-OpenSSL-1.1-compability-issues.patch -# PATCH-FIX-UPSTREAM rdesktop-Fix-crash-in-rdssl_cert_to_rkey.patch -Patch2: rdesktop-Fix-crash-in-rdssl_cert_to_rkey.patch # PATCH-FIX-OPENSUSE rdesktop-Fix-keymap-script.patch Patch3: rdesktop-Fix-keymap-script.patch Patch4: rdesktop-Fix-key-caching.patch 
@@ -48,17 +44,16 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %description -rdesktop is an open source client for Windows NT Terminal Server and -Windows 2000 Terminal Services, capable of natively speaking Remote -Desktop Protocol (RDP) in order to present the user's NT desktop. -Unlike Citrix ICA, no server extensions are required. +rdesktop is an open source UNIX client for connecting to Windows +Remote Desktop Services, capable of natively speaking Remote Desktop +Protocol (RDP) in order to present the user's Windows desktop. +rdesktop is known to work with Windows server versions ranging from +NT 4 terminal server to Windows Server 2012 R2. %prep %setup -q %patch0 %if 0%{?suse_version} > 1110 -%patch1 -p1 -%patch2 -p1 %patch4 -p1 %endif %patch3 -p1 ++++++ rdesktop-1.8.3.tar.gz -> rdesktop-1.8.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/asn.c new/rdesktop-1.8.4/asn.c --- old/rdesktop-1.8.3/asn.c 2012-11-16 23:17:36.000000000 +0100 +++ new/rdesktop-1.8.4/asn.c 2019-01-02 15:03:25.000000000 +0100 @@ -22,7 +22,7 @@ /* Parse an ASN.1 BER header */ RD_BOOL -ber_parse_header(STREAM s, int tagval, int *length) +ber_parse_header(STREAM s, int tagval, uint32 *length) { int tag, len; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/bitmap.c new/rdesktop-1.8.4/bitmap.c --- old/rdesktop-1.8.3/bitmap.c 2011-04-13 13:13:04.000000000 +0200 +++ new/rdesktop-1.8.4/bitmap.c 2019-01-02 15:03:25.000000000 +0100 @@ -785,7 +785,7 @@ replen = revcode; collen = 0; } - while (collen > 0) + while (indexw < width && collen > 0) { color = CVAL(in); *out = color; @@ -793,7 +793,7 @@ indexw++; collen--; } - while (replen > 0) + while (indexw < width && replen > 0) { *out = color; out += 4; @@ -815,7 +815,7 @@ replen = revcode; collen = 0; } - while (collen > 0) + while (indexw < width && collen > 0) { x = CVAL(in); if (x & 1) 
@@ -835,7 +835,7 @@ indexw++; collen--; } - while (replen > 0) + while (indexw < width && replen > 0) { x = last_line[indexw * 4] + color; *out = x; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/cliprdr.c new/rdesktop-1.8.4/cliprdr.c --- old/rdesktop-1.8.3/cliprdr.c 2011-09-28 11:36:59.000000000 +0200 +++ new/rdesktop-1.8.4/cliprdr.c 2019-01-02 15:03:25.000000000 +0100 @@ -115,6 +115,7 @@ uint16 type, status; uint32 length, format; uint8 *data; + struct stream packet = *s; in_uint16_le(s, type); in_uint16_le(s, status); @@ -123,6 +124,11 @@ DEBUG_CLIPBOARD(("CLIPRDR recv: type=%d, status=%d, length=%d\n", type, status, length)); + if (!s_check_rem(s, length)) + { + rdp_protocol_error("cliprdr_process(), consume of packet from stream would overrun", &packet); + } + if (status == CLIPRDR_ERROR) { switch (type) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/configure new/rdesktop-1.8.4/configure --- old/rdesktop-1.8.3/configure 2014-10-31 12:40:13.000000000 +0100 +++ new/rdesktop-1.8.4/configure 2019-01-02 15:11:49.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for rdesktop 1.8.3. +# Generated by GNU Autoconf 2.69 for rdesktop 1.8.4. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ # Identity of this package. PACKAGE_NAME='rdesktop' PACKAGE_TARNAME='rdesktop' -PACKAGE_VERSION='1.8.3' -PACKAGE_STRING='rdesktop 1.8.3' +PACKAGE_VERSION='1.8.4' +PACKAGE_STRING='rdesktop 1.8.4' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -1302,7 +1302,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures rdesktop 1.8.3 to adapt to many kinds of systems. +\`configure' configures rdesktop 1.8.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1371,7 +1371,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of rdesktop 1.8.3:";; + short | recursive ) echo "Configuration of rdesktop 1.8.4:";; esac cat <<\_ACEOF @@ -1509,7 +1509,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -rdesktop configure 1.8.3 +rdesktop configure 1.8.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2031,7 +2031,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by rdesktop $as_me 1.8.3, which was +It was created by rdesktop $as_me 1.8.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -8030,7 +8030,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by rdesktop $as_me 1.8.3, which was +This file was extended by rdesktop $as_me 1.8.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -8083,7 +8083,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -rdesktop config.status 1.8.3 +rdesktop config.status 1.8.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/configure.ac new/rdesktop-1.8.4/configure.ac --- old/rdesktop-1.8.3/configure.ac 2014-10-31 12:39:04.000000000 +0100 +++ new/rdesktop-1.8.4/configure.ac 2019-01-02 15:03:38.000000000 +0100 @@ -1,4 +1,4 @@ -AC_INIT(rdesktop, 1.8.3) +AC_INIT(rdesktop, 1.8.4) AC_CONFIG_SRCDIR([rdesktop.c]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/constants.h new/rdesktop-1.8.4/constants.h --- old/rdesktop-1.8.3/constants.h 2014-09-09 14:34:09.000000000 +0200 +++ new/rdesktop-1.8.4/constants.h 2019-01-02 15:03:25.000000000 +0100 @@ -481,6 +481,10 @@ #define FILE_DELETE_ON_CLOSE 0x00001000 #define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 +/* [MS-RDPBCGR], TS_BITMAP_DATA, flags */ +#define BITMAP_COMPRESSION 0x0001 +#define NO_BITMAP_COMPRESSION_HDR 0x0400 + /* RDP5 disconnect PDU */ #define exDiscReasonNoInfo 0x0000 #define exDiscReasonAPIInitiatedDisconnect 0x0001 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/cssp.c new/rdesktop-1.8.4/cssp.c --- old/rdesktop-1.8.3/cssp.c 2014-08-29 12:57:24.000000000 +0200 +++ new/rdesktop-1.8.4/cssp.c 2019-01-02 15:03:25.000000000 +0100 @@ -648,6 +648,7 @@ STREAM s; int length; int tagval; + struct stream packet; s = tcp_recv(NULL, 4); @@ -673,6 +674,7 @@ // receive the remainings of message s = tcp_recv(s, length); + packet = *s; #if WITH_DEBUG_CREDSSP streamsave(s, "tsrequest_in.raw"); 
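Review bot: `packet = *s;` is executed directly after `s = tcp_recv(s, length);` with no NULL check visible in the hunk, so if tcp_recv can return NULL on a dropped connection (its contract is not shown here) the copy dereferences a null pointer before cssp_read_tsrequest gets a chance to return False. A guard such as `if (s == NULL) return False;` between the two lines keeps the failure path graceful; the same question applies to the `s = tcp_recv(NULL, 4);` call in the preceding hunk if it is not already checked in the context that is cut off. cssp_read_tsrequest starts and ends outside this hunk.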
@@ -689,6 +691,12 @@ if (!ber_in_header(s, &tagval, &length) || tagval != (BER_TAG_CTXT_SPECIFIC | BER_TAG_CONSTRUCTED | 0)) return False; + + if (!s_check_rem(s, length)) + { + rdp_protocol_error("cssp_read_tsrequest(), consume of version from stream would overrun", + &packet); + } in_uint8s(s, length); // negoToken [1] @@ -710,7 +718,14 @@ if (!ber_in_header(s, &tagval, &length) || tagval != BER_TAG_OCTET_STRING) return False; - token->end = token->p = token->data; + if (!s_check_rem(s, length)) + { + rdp_protocol_error("cssp_read_tsrequest(), consume of token from stream would overrun", + &packet); + } + + s_realloc(token, length); + s_reset(token); out_uint8p(token, s->p, length); s_mark_end(token); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/doc/ChangeLog new/rdesktop-1.8.4/doc/ChangeLog --- old/rdesktop-1.8.3/doc/ChangeLog 2014-10-31 12:39:04.000000000 +0100 +++ new/rdesktop-1.8.4/doc/ChangeLog 2019-01-02 15:04:25.000000000 +0100 
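Review bot: `length` in cssp_read_tsrequest is declared `int` (see the `@@ -648` hunk) and is filled by `ber_in_header`, whose prototype in proto.h still takes `int *length`, so a negative value is not rejected by `s_check_rem(s, length)`: with the rewritten macro, `n <= (s)->end - (s)->p` holds for any negative n. Unless ber_in_header guarantees a non-negative result, the guard should also reject it, e.g. `if (length < 0 || !s_check_rem(s, length))`, both here before `in_uint8s(s, length)` and in the token hunk below, where the value then reaches `s_realloc(token, length)` and `out_uint8p(token, s->p, length)`. Both hunks sit inside cssp_read_tsrequest, which begins before the first of them.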
@@ -1,3 +1,32 @@ +rdesktop (1.8.4) + * Add rdp_protocol_error function that is used in several fixes + * Refactor of process_bitmap_updates + * Fix possible integer overflow in s_check_rem() on 32bit arch + * Fix memory corruption in process_bitmap_data - CVE-2018-8794 + * Fix remote code execution in process_bitmap_data - CVE-2018-8795 + * Fix remote code execution in process_plane - CVE-2018-8797 + * Fix Denial of Service in mcs_recv_connect_response - CVE-2018-20175 + * Fix Denial of Service in mcs_parse_domain_params - CVE-2018-20175 + * Fix Denial of Service in sec_parse_crypt_info - CVE-2018-20176 + * Fix Denial of Service in sec_recv - CVE-2018-20176 + * Fix minor information leak in rdpdr_process - CVE-2018-8791 + * Fix Denial of Service in cssp_read_tsrequest - CVE-2018-8792 + * Fix remote code execution in cssp_read_tsrequest - CVE-2018-8793 + * Fix Denial of Service in process_bitmap_data - CVE-2018-8796 + * Fix minor information leak in rdpsnd_process_ping - CVE-2018-8798 + * Fix Denial of Service in process_secondary_order - CVE-2018-8799 + * Fix remote code execution in in ui_clip_handle_data - CVE-2018-8800 + * Fix major information leak in ui_clip_handle_data - CVE-2018-20174 + * Fix memory corruption in rdp_in_unistr - CVE-2018-20177 + * Fix Denial of Service in process_demand_active - CVE-2018-20178 + * Fix remote code execution in lspci_process - CVE-2018-20179 + * Fix remote code execution in rdpsnddbg_process - CVE-2018-20180 + * Fix remote code execution in seamless_process - CVE-2018-20181 + * Fix remote code execution in seamless_process_line - CVE-2018-20182 + * Fix building against OpenSSL 1.1 + + -- Henrik Andersson <[email protected]> 2019-01-02 + rdesktop (1.8.3) * Added a persistent mode used with SeamlessRDP * Added US international keyboard layout with dead keys diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/lspci.c new/rdesktop-1.8.4/lspci.c --- old/rdesktop-1.8.3/lspci.c 
2010-01-12 09:31:06.000000000 +0100 +++ new/rdesktop-1.8.4/lspci.c 2019-01-02 15:03:25.000000000 +0100 @@ -1,7 +1,8 @@ /* -*- c-basic-offset: 8 -*- rdesktop: A Remote Desktop Protocol client. Support for the Matrox "lspci" channel - Copyright (C) 2005 Matrox Graphics Inc. + Copyright (C) 2005 Matrox Graphics Inc. + Copyright 2018 Henrik Andersson <[email protected]> for Cendio AB This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -132,6 +133,12 @@ unsigned int pkglen; static char *rest = NULL; char *buf; + struct stream packet = *s; + + if (!s_check(s)) + { + rdp_protocol_error("lspci_process(), stream is in unstable state", &packet); + } pkglen = s->end - s->p; /* str_handle_lines requires null terminated strings */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/mcs.c new/rdesktop-1.8.4/mcs.c --- old/rdesktop-1.8.3/mcs.c 2012-11-15 12:21:01.000000000 +0100 +++ new/rdesktop-1.8.4/mcs.c 2019-01-02 15:03:25.000000000 +0100 @@ -44,9 +44,16 @@ static RD_BOOL mcs_parse_domain_params(STREAM s) { - int length; + uint32 length; + struct stream packet = *s; ber_parse_header(s, MCS_TAG_DOMAIN_PARAMS, &length); + + if (!s_check_rem(s, length)) + { + rdp_protocol_error("mcs_parse_domain_params(), consume domain params from stream would overrun", &packet); + } + in_uint8s(s, length); return s_check(s); @@ -87,13 +94,15 @@ mcs_recv_connect_response(STREAM mcs_data) { uint8 result; - int length; + uint32 length; STREAM s; - + struct stream packet; s = iso_recv(NULL); if (s == NULL) return False; + packet = *s; + ber_parse_header(s, MCS_CONNECT_RESPONSE, &length); ber_parse_header(s, BER_TAG_RESULT, &length); 
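Review bot: In mcs_parse_domain_params the return value of `ber_parse_header(s, MCS_TAG_DOMAIN_PARAMS, &length)` is still ignored, so when the header does not carry the expected tag the new `s_check_rem(s, length)` guards whatever `length` happens to hold — possibly the never-written automatic variable, unless ber_parse_header is guaranteed to store it on failure (its body is not in this diff). `if (!ber_parse_header(s, MCS_TAG_DOMAIN_PARAMS, &length)) return False;` would make the length check meaningful. The same pattern recurs for the ber_parse_header calls in mcs_recv_connect_response in this and the next hunk.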
@@ -106,6 +115,12 @@ ber_parse_header(s, BER_TAG_INTEGER, &length); in_uint8s(s, length); /* connect id */ + + if (!s_check_rem(s, length)) + { + rdp_protocol_error("mcs_recv_connect_response(), consume connect id from stream would overrun", &packet); + } + mcs_parse_domain_params(s); ber_parse_header(s, BER_TAG_OCTET_STRING, &length); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/orders.c new/rdesktop-1.8.4/orders.c --- old/rdesktop-1.8.3/orders.c 2012-06-15 07:16:20.000000000 +0200 +++ new/rdesktop-1.8.4/orders.c 2019-01-02 15:03:25.000000000 +0100 @@ -1260,11 +1260,17 @@ uint16 flags; uint8 type; uint8 *next_order; + struct stream packet = *s; in_uint16_le(s, length); in_uint16_le(s, flags); /* used by bmpcache2 */ in_uint8(s, type); + if (!s_check_rem(s, length + 7)) + { + rdp_protocol_error("process_secondary_order(), next order pointer would overrun stream", &packet); + } + next_order = s->p + (sint16) length + 7; switch (type) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/parse.h new/rdesktop-1.8.4/parse.h --- old/rdesktop-1.8.3/parse.h 2012-11-15 12:20:24.000000000 +0100 +++ new/rdesktop-1.8.4/parse.h 2019-01-02 15:03:25.000000000 +0100 @@ -40,7 +40,7 @@ #define s_pop_layer(s,h) (s)->p = (s)->h; #define s_mark_end(s) (s)->end = (s)->p; #define s_check(s) ((s)->p <= (s)->end) -#define s_check_rem(s,n) ((s)->p + n <= (s)->end) +#define s_check_rem(s,n) (s_check(s) && (n <= (s)->end - (s)->p)) #define s_check_end(s) ((s)->p == (s)->end) #define s_length(s) ((s)->end - (s)->data) #define s_reset(s) ((s)->end = (s)->p = (s)->data) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/proto.h new/rdesktop-1.8.4/proto.h --- old/rdesktop-1.8.3/proto.h 2014-09-11 13:54:46.000000000 +0200 +++ new/rdesktop-1.8.4/proto.h 2019-01-02 15:03:25.000000000 +0100 
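Review bot: The added `s_check_rem(s, length)` in mcs_recv_connect_response comes after `in_uint8s(s, length); /* connect id */`, i.e. after the skip it is meant to protect; it only catches an overrun retroactively through the `s_check(s)` term of the macro, and it additionally demands that another `length` bytes follow the connect id, which is not what the field describes. Move the guard above the skip: `if (!s_check_rem(s, length)) rdp_protocol_error("mcs_recv_connect_response(), consume connect id from stream would overrun", &packet);` followed by `in_uint8s(s, length);`.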
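Review bot: The new guard in process_secondary_order validates `length + 7` with `length` as an unsigned 16-bit value, but the unchanged line below computes `next_order = s->p + (sint16) length + 7;`, so for length >= 0x8000 the check requires a large forward span while the pointer actually moves backwards by up to 32 KiB, possibly before the current order or before the buffer start. Either drop the `(sint16)` cast so both expressions agree, or reject `length >= 0x8000` explicitly before the check. process_secondary_order continues past the hunk, where next_order is used.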
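Review bot: The rewritten `s_check_rem` leaves its `n` argument unparenthesized, so an expression argument such as `length + 7` binds against `<=` by precedence alone; the conventional `((n) <= (s)->end - (s)->p)` is cheaper than auditing every call site. Note also that `(s)->end - (s)->p` is a signed ptrdiff_t, so a negative `int` n still satisfies the comparison; callers that hold lengths in `int` need their own sign check.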
@@ -173,6 +173,7 @@ char *directory, RD_BOOL reconnect); void rdp_reset_state(void); void rdp_disconnect(void); +void rdp_protocol_error(const char *message, STREAM s); /* rdpdr.c */ int get_device_index(RD_NTHANDLE handle); void convert_to_unix_filename(char *filename); @@ -233,7 +234,7 @@ /* asn.c */ RD_BOOL ber_in_header(STREAM s, int *tagval, int *length); void ber_out_header(STREAM s, int tagval, int length); -RD_BOOL ber_parse_header(STREAM s, int tagval, int *length); +RD_BOOL ber_parse_header(STREAM s, int tagval, uint32 *length); void ber_out_integer(STREAM s, int value); /* xclip.c */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/rdesktop.spec new/rdesktop-1.8.4/rdesktop.spec --- old/rdesktop-1.8.3/rdesktop.spec 2014-10-31 12:39:04.000000000 +0100 +++ new/rdesktop-1.8.4/rdesktop.spec 2019-01-02 15:03:38.000000000 +0100 @@ -1,6 +1,6 @@ Summary: Remote Desktop Protocol client Name: rdesktop -Version: 1.8.3 +Version: 1.8.4 Release: 1 License: GPL; see COPYING Group: Applications/Communications diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/rdp.c new/rdesktop-1.8.4/rdp.c --- old/rdesktop-1.8.3/rdp.c 2014-08-27 14:19:59.000000000 +0200 +++ new/rdesktop-1.8.4/rdp.c 2019-01-02 15:03:25.000000000 +0100 @@ -3,7 +3,7 @@ Protocol services - RDP layer Copyright (C) Matthew Chapman <matthewc.unsw.edu.au> 1999-2008 Copyright 2003-2011 Peter Astrand <[email protected]> for Cendio AB - Copyright 2011-2014 Henrik Andersson <[email protected]> for Cendio AB + Copyright 2011-2018 Henrik Andersson <[email protected]> for Cendio AB This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -270,6 +270,20 @@ *string = xmalloc(in_len * 2); *str_size = in_len * 2; + struct stream packet = *s; + + if ((in_len < 0) || ((uint32)in_len >= (RD_UINT32_MAX / 2))) + { + error("rdp_in_unistr(), length of unicode data is out of bounds."); + abort(); + } + + if (!s_check_rem(s, in_len)) + { + rdp_protocol_error("rdp_in_unistr(), consume of unicode data from stream would overrun", &packet); + } + + #ifdef HAVE_ICONV size_t ibl = in_len, obl = *str_size - 1; char *pin = (char *) s->p, *pout = *string; @@ -1084,6 +1098,7 @@ { uint8 type; uint16 len_src_descriptor, len_combined_caps; + struct stream packet = *s; /* at this point we need to ensure that we have ui created */ rd_create_ui(); @@ -1091,6 +1106,11 @@ in_uint32_le(s, g_rdp_shareid); in_uint16_le(s, len_src_descriptor); in_uint16_le(s, len_combined_caps); + + if (!s_check_rem(s, len_src_descriptor)) + { + rdp_protocol_error("rdp_demand_active(), consume of source descriptor from stream would overrun", &packet); + } in_uint8s(s, len_src_descriptor); DEBUG(("DEMAND_ACTIVE(id=0x%x)\n", g_rdp_shareid)); 
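Review bot: The new bounds check on `in_len` in rdp_in_unistr sits after the unchanged `*string = xmalloc(in_len * 2); *str_size = in_len * 2;` lines, so a negative or oversized in_len is handed to xmalloc and stored in *str_size before it is rejected. Moving the `(in_len < 0) || ((uint32)in_len >= (RD_UINT32_MAX / 2))` test and the `s_check_rem(s, in_len)` test above the allocation makes the function fail without allocating and keeps the abort()/rdp_protocol_error() paths from leaving a half-initialized *string behind. The enclosing function starts before the hunk and the declaration of in_len is not visible here.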
@@ -1238,74 +1258,122 @@ } } -/* Process bitmap updates */ -void -process_bitmap_updates(STREAM s) +/* Process TS_BITMAP_DATA */ +static void +process_bitmap_data(STREAM s) { - uint16 num_updates; uint16 left, top, right, bottom, width, height; - uint16 cx, cy, bpp, Bpp, compress, bufsize, size; + uint16 cx, cy, bpp, Bpp, flags, bufsize, size; uint8 *data, *bmpdata; - int i; - in_uint16_le(s, num_updates); + struct stream packet = *s; - for (i = 0; i < num_updates; i++) - { - in_uint16_le(s, left); - in_uint16_le(s, top); - in_uint16_le(s, right); - in_uint16_le(s, bottom); - in_uint16_le(s, width); - in_uint16_le(s, height); - in_uint16_le(s, bpp); - Bpp = (bpp + 7) / 8; - in_uint16_le(s, compress); - in_uint16_le(s, bufsize); + in_uint16_le(s, left); /* destLeft */ + in_uint16_le(s, top); /* destTop */ + in_uint16_le(s, right); /* destRight */ + in_uint16_le(s, bottom); /* destBottom */ + in_uint16_le(s, width); /* width */ + in_uint16_le(s, height); /* height */ + in_uint16_le(s, bpp); /* bitsPerPixel */ + Bpp = (bpp + 7) / 8; + in_uint16_le(s, flags); /* flags */ + in_uint16_le(s, bufsize); /* bitmapLength */ + + cx = right - left + 1; + cy = bottom - top + 1; + + /* FIXME: There are a assumtion that we do not consider in + this code. The value of bpp is not passed to + ui_paint_bitmap() which relies on g_server_bpp for drawing + the bitmap data. - cx = right - left + 1; - cy = bottom - top + 1; + Does this means that we can sanity check bpp with g_server_bpp ? 
+ */ - DEBUG(("BITMAP_UPDATE(l=%d,t=%d,r=%d,b=%d,w=%d,h=%d,Bpp=%d,cmp=%d)\n", - left, top, right, bottom, width, height, Bpp, compress)); - if (!compress) - { - int y; - bmpdata = (uint8 *) xmalloc(width * height * Bpp); - for (y = 0; y < height; y++) - { - in_uint8a(s, &bmpdata[(height - y - 1) * (width * Bpp)], - width * Bpp); - } - ui_paint_bitmap(left, top, cx, cy, width, height, bmpdata); - xfree(bmpdata); - continue; - } + if (Bpp == 0 || width == 0 || height == 0) + { + warning("%s(), [%d,%d,%d,%d], [%d,%d], bpp=%d, flags=%x", __func__, + left, top, right, bottom, width, height, bpp, flags); + rdp_protocol_error + ("TS_BITMAP_DATA, unsafe size of bitmap data received from server", + &packet); + } + if ((RD_UINT32_MAX / Bpp) <= (width * height)) + { + warning("%s(), [%d,%d,%d,%d], [%d,%d], bpp=%d, flags=%x", __func__, + left, top, right, bottom, width, height, bpp, flags); + rdp_protocol_error + ("TS_BITMAP_DATA, unsafe size of bitmap data received from server", + &packet); + } - if (compress & 0x400) - { - size = bufsize; - } - else - { - in_uint8s(s, 2); /* pad */ - in_uint16_le(s, size); - in_uint8s(s, 4); /* line_size, final_size */ - } - in_uint8p(s, data, size); + +#if DEBUG + printf("%s(), [%d,%d,%d,%d], [%d,%d], bpp=%d, flags=%x", __func__, + left, top, right, bottom, width, height, bpp, flags); +#endif + if (flags == 0) + { + /* read uncompresssed bitmap data */ + int y; bmpdata = (uint8 *) xmalloc(width * height * Bpp); - if (bitmap_decompress(bmpdata, width, height, data, size, Bpp)) - { - ui_paint_bitmap(left, top, cx, cy, width, height, bmpdata); - } - else + for (y = 0; y < height; y++) { - DEBUG_RDP5(("Failed to decompress data\n")); + in_uint8a(s, &bmpdata[(height - y - 1) * (width * Bpp)], width * Bpp); } - + ui_paint_bitmap(left, top, cx, cy, width, height, bmpdata); xfree(bmpdata); + return; + } + + if (flags & NO_BITMAP_COMPRESSION_HDR) + { + size = bufsize; + } + else + { + /* Read TS_CD_HEADER */ + in_uint8s(s, 2); /* skip 
cbCompFirstRowSize (must be 0x0000) */ + in_uint16_le(s, size); /* cbCompMainBodySize */ + in_uint8s(s, 2); /* skip cbScanWidth */ + in_uint8s(s, 2); /* skip cbUncompressedSize */ + } + + /* read compressed bitmap data */ + if (!s_check_rem(s, size)) + { + rdp_protocol_error("process_bitmap_data(), consume of bitmap data from stream would overrun", &packet); + } + in_uint8p(s, data, size); + bmpdata = (uint8 *) xmalloc(width * height * Bpp); + if (bitmap_decompress(bmpdata, width, height, data, size, Bpp)) + { + ui_paint_bitmap(left, top, cx, cy, width, height, bmpdata); + } + else + { + warning("%s(), failed to decompress bitmap", __func__); + } + + xfree(bmpdata); +} + + + +/* Process TS_UPDATE_BITMAP_DATA */ +void +process_bitmap_updates(STREAM s) +{ + uint16 num_updates; + int i; + + in_uint16_le(s, num_updates); /* rectangles */ + + for (i = 0; i < num_updates; i++) + { + process_bitmap_data(s); } } @@ -1774,3 +1842,21 @@ { sec_disconnect(); } + +/* Abort rdesktop upon protocol error + + A protocol error is defined as: + + - A value is outside specified range for example; + bpp for a bitmap is not allowed to be greater than the + value 32 but is represented by a byte in protocol. + +*/ +void +rdp_protocol_error(const char *message, STREAM s) +{ + error("%s(), %s", __func__, message); + if (s) + hexdump(s->p, s_length(s)); + exit(0); +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/rdpdr.c new/rdesktop-1.8.4/rdpdr.c --- old/rdesktop-1.8.3/rdpdr.c 2014-09-11 13:54:46.000000000 +0200 +++ new/rdesktop-1.8.4/rdpdr.c 2019-01-02 15:03:25.000000000 +0100 @@ -797,6 +797,7 @@ uint16 vmin; uint16 component; uint16 pakid; + struct stream packet = *s; #if WITH_DEBUG_RDP5 printf("--- rdpdr_process ---\n"); 
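Review bot: The uncompressed branch (`flags == 0`) of process_bitmap_data still reads `height` rows of `width * Bpp` bytes with `in_uint8a` without any check that the stream holds them; only the compressed path gained `s_check_rem(s, size)`. Add, before the row loop, `if (!s_check_rem(s, (uint32)width * height * Bpp)) rdp_protocol_error("process_bitmap_data(), consume of uncompressed bitmap data from stream would overrun", &packet);`. Separately, `width * height` in the `RD_UINT32_MAX / Bpp` test multiplies two uint16 values promoted to int, which overflows signed int for large dimensions (undefined behaviour); casting one operand to uint32 makes the overflow check itself well defined, and the same expression is fed to `xmalloc(width * height * Bpp)` in both branches.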
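Review bot: `hexdump(s->p, s_length(s))` in the new rdp_protocol_error mixes the current read position with the whole-buffer length (`s_length` is `(s)->end - (s)->data` per the parse.h hunk), so whenever `s->p` has advanced past `s->data` — true for most callers, which copy the stream after headers were consumed — the dump reads `p - data` bytes beyond `end`. Use `hexdump(s->data, s_length(s))` for the whole packet or `hexdump(s->p, s->end - s->p)` for the unconsumed remainder. `exit(0)` also reports success for a protocol abort; a non-zero status lets wrappers and scripts tell it apart from a normal disconnect.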
@@ -818,8 +819,18 @@ /* DR_CORE_SERVER_ANNOUNCE_REQ */ in_uint8s(s, 2); /* skip versionMajor */ in_uint16_le(s, vmin); /* VersionMinor */ + in_uint32_le(s, g_client_id); /* ClientID */ + /* g_client_id is sent back to server, + so lets check that we actually got + valid data from stream to prevent + that we leak back data to server */ + if (!s_check(s)) + { + rdp_protocol_error("rdpdr_process(), consume of g_client_id from stream did overrun", &packet); + } + /* The RDP client is responsibility to provide a random client id if server version is < 12 */ if (vmin < 0x000c) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/rdpsnd.c new/rdesktop-1.8.4/rdpsnd.c --- old/rdesktop-1.8.3/rdpsnd.c 2014-05-13 16:34:23.000000000 +0200 +++ new/rdesktop-1.8.4/rdpsnd.c 2019-01-02 15:03:25.000000000 +0100 @@ -355,6 +355,12 @@ { uint16 tick; STREAM out; + struct stream packet = *in; + + if (!s_check_rem(in, 4)) + { + rdp_protocol_error("rdpsnd_process_training(), consume of training data from stream would overrun", &packet); + } in_uint16_le(in, tick); @@ -667,6 +673,11 @@ static char *rest = NULL; char *buf; + if (!s_check(s)) + { + rdp_protocol_error("rdpsnddbg_process(), stream is in unstable state", s); + } + pkglen = s->end - s->p; /* str_handle_lines requires null terminated strings */ buf = (char *) xmalloc(pkglen + 1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/seamless.c new/rdesktop-1.8.4/seamless.c --- old/rdesktop-1.8.3/seamless.c 2014-09-11 08:36:25.000000000 +0200 +++ new/rdesktop-1.8.4/seamless.c 2019-01-02 15:03:25.000000000 +0100 @@ -173,6 +173,12 @@ icon_buf[len] = strtol(byte, NULL, 16); len++; + + if ((size_t)len >= sizeof(icon_buf)) + { + warning("seamless_process_line(), icon data would overrun icon_buf"); + break; + } } ui_seamless_seticon(id, tok5, width, height, chunk, icon_buf, len); 
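Review bot: In rdpdr_process the four bytes for `g_client_id` are consumed by `in_uint32_le(s, g_client_id)` before the new `s_check(s)` runs, so the out-of-bounds read has already happened and only the later use of the value is prevented; it also leaves g_client_id overwritten on the error path. Check the remaining length first: `if (!s_check_rem(s, 4)) rdp_protocol_error("rdpdr_process(), consume of g_client_id from stream would overrun", &packet);` and then read. rdpdr_process begins before this hunk, in the preceding one where `packet` is declared.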
@@ -375,6 +381,12 @@ { unsigned int pkglen; char *buf; + struct stream packet = *s; + + if (!s_check(s)) + { + rdp_protocol_error("seamless_process(), stream is in unstable state", &packet); + } pkglen = s->end - s->p; /* str_handle_lines requires null terminated strings */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/secure.c new/rdesktop-1.8.4/secure.c --- old/rdesktop-1.8.3/secure.c 2014-02-07 09:44:55.000000000 +0100 +++ new/rdesktop-1.8.4/secure.c 2019-01-02 15:03:25.000000000 +0100 @@ -292,6 +292,9 @@ void sec_decrypt(uint8 * data, int length) { + if (length <= 0) + return; + if (g_sec_decrypt_use_count == 4096) { sec_update(g_sec_decrypt_key, g_sec_decrypt_update_key); @@ -550,6 +553,7 @@ RDSSL_RKEY *server_public_key; uint16 tag, length; uint8 *next_tag, *end; + struct stream packet = *s; in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */ in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */ @@ -628,6 +632,13 @@ DEBUG_RDP5(("Ignored certs left: %d\n", certcount)); in_uint32_le(s, ignorelen); DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen)); + + if (!s_check_rem(s, ignorelen)) + { + rdp_protocol_error("sec_parse_crypt_info(), consume ignored certificate from stream would overrun", + &packet); + } + ignorecert = rdssl_cert_read(s->p, ignorelen); in_uint8s(s, ignorelen); if (ignorecert == NULL) @@ -797,15 +808,21 @@ uint32 sec_flags; uint16 channel; STREAM s; + struct stream packet; while ((s = mcs_recv(&channel, rdpver)) != NULL) { + packet = *s; if (rdpver != NULL) { if (*rdpver != 3) { if (*rdpver & 0x80) { + if (!s_check_rem(s, 8)) { + rdp_protocol_error("sec_recv(), consume fastpath signature from stream would overrun", &packet); + } + in_uint8s(s, 8); /* signature */ sec_decrypt(s->p, s->end - s->p); } 
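Review bot: The three new guards in sec_recv (`if (!s_check_rem(s, 8)) {` here and the two in the following hunks at -820 and -834) put the opening brace on the `if` line, while the rest of secure.c and every other new check in this diff put it on its own line; reformatting them to the surrounding style keeps the file consistent. The checks themselves are correctly placed, since each precedes its `in_uint8s(s, 8)`. sec_recv continues past the hunk.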
@@ -820,6 +837,10 @@ { if (sec_flags & SEC_ENCRYPT) { + if (!s_check_rem(s, 8)) { + rdp_protocol_error("sec_recv(), consume encrypt signature from stream would overrun", &packet); + } + in_uint8s(s, 8); /* signature */ sec_decrypt(s->p, s->end - s->p); } @@ -834,6 +855,10 @@ { uint8 swapbyte; + if (!s_check_rem(s, 8)) { + rdp_protocol_error("sec_recv(), consume redirect signature from stream would overrun", &packet); + } + in_uint8s(s, 8); /* signature */ sec_decrypt(s->p, s->end - s->p); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/ssl.c new/rdesktop-1.8.4/ssl.c --- old/rdesktop-1.8.3/ssl.c 2012-10-23 13:38:27.000000000 +0200 +++ new/rdesktop-1.8.4/ssl.c 2019-01-02 14:50:34.000000000 +0100 @@ -3,6 +3,7 @@ Secure sockets abstraction layer Copyright (C) Matthew Chapman <matthewc.unsw.edu.au> 1999-2008 Copyright (C) Jay Sorg <[email protected]> 2006-2008 + Copyright (C) Henrik Andersson <[email protected]> 2016 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -88,7 +89,7 @@ uint8 * exponent) { BN_CTX *ctx; - BIGNUM mod, exp, x, y; + BIGNUM *mod, *exp, *x, *y; uint8 inr[SEC_MAX_MODULUS_SIZE]; int outlen; 
@@ -98,24 +99,24 @@ reverse(inr, len); ctx = BN_CTX_new(); - BN_init(&mod); - BN_init(&exp); - BN_init(&x); - BN_init(&y); - - BN_bin2bn(modulus, modulus_size, &mod); - BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp); - BN_bin2bn(inr, len, &x); - BN_mod_exp(&y, &x, &exp, &mod, ctx); - outlen = BN_bn2bin(&y, out); + mod = BN_new(); + exp = BN_new(); + x = BN_new(); + y = BN_new(); + + BN_bin2bn(modulus, modulus_size, mod); + BN_bin2bn(exponent, SEC_EXPONENT_SIZE, exp); + BN_bin2bn(inr, len, x); + BN_mod_exp(y, x, exp, mod, ctx); + outlen = BN_bn2bin(y, out); reverse(out, outlen); if (outlen < (int) modulus_size) memset(out + outlen, 0, modulus_size - outlen); - BN_free(&y); - BN_clear_free(&x); - BN_free(&exp); - BN_free(&mod); + BN_free(y); + BN_clear_free(x); + BN_free(exp); + BN_free(mod); BN_CTX_free(ctx); } 
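Review bot: The four `BN_new()` results in rdssl_rsa_encrypt (and the pre-existing `BN_CTX_new()` on the context line above them) are used without a NULL check, so an allocation failure becomes a null dereference inside BN_bin2bn/BN_mod_exp rather than a reported error. A single guard after the allocations, `if (!ctx || !mod || !exp || !x || !y) { error("rdssl_rsa_encrypt(), BIGNUM allocation failed"); abort(); }`, makes the failure explicit; a cleanup path that frees what was allocated would be the fuller fix. The plaintext copy `inr` is still a plain stack buffer that is not cleared before return, which the `BN_clear_free(x)` suggests the author cares about — worth an explicit wipe if the tree has one.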
@@ -140,18 +141,38 @@ EVP_PKEY *epk = NULL; RDSSL_RKEY *lkey; int nid; + int ret; /* By some reason, Microsoft sets the OID of the Public RSA key to the oid for "MD5 with RSA Encryption" instead of "RSA Encryption" Kudos to Richard Levitte for the following (. intiutive .) lines of code that resets the OID and let's us extract the key. */ - nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm); + + X509_PUBKEY *key = NULL; + X509_ALGOR *algor = NULL; + + key = X509_get_X509_PUBKEY(cert); + if (key == NULL) + { + error("Failed to get public key from certificate.\n"); + return NULL; + } + + ret = X509_PUBKEY_get0_param(NULL, NULL, 0, &algor, key); + if (ret != 1) + { + error("Faild to get algorithm used for public key.\n"); + return NULL; + } + + nid = OBJ_obj2nid(algor->algorithm); + if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption)) { DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n")); - ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm); - cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); + X509_PUBKEY_set0_param(key, OBJ_nid2obj(NID_rsaEncryption), + 0, NULL, NULL, 0); } epk = X509_get_pubkey(cert); if (NULL == epk) @@ -201,14 +222,24 @@ { int len; - if ((BN_num_bytes(rkey->e) > (int) max_exp_len) || - (BN_num_bytes(rkey->n) > (int) max_mod_len)) + BIGNUM *e = NULL; + BIGNUM *n = NULL; + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + e = rkey->e; + n = rkey->n; +#else + RSA_get0_key(rkey, &e, &n, NULL); +#endif + + if ((BN_num_bytes(e) > (int) max_exp_len) || + (BN_num_bytes(n) > (int) max_mod_len)) { return 1; } - len = BN_bn2bin(rkey->e, exponent); + len = BN_bn2bin(e, exponent); reverse(exponent, len); - len = BN_bn2bin(rkey->n, modulus); + len = BN_bn2bin(n, modulus); reverse(modulus, len); return 0; } 
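Review bot: In rdssl_cert_to_rkey the return value of `X509_PUBKEY_set0_param(key, OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0)` is not checked, so a failed reset silently falls through to `X509_get_pubkey(cert)` with the original OID still in place; the other two OpenSSL calls added in this hunk are checked, so `if (ret != 1) { error(...); return NULL; }` would be consistent. The new message `"Faild to get algorithm used for public key.\n"` has a typo ("Failed"). rdssl_cert_to_rkey continues past the hunk.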
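Review bot: `RSA_get0_key(rkey, &e, &n, NULL)` in the OpenSSL >= 1.1 branch of rdssl_rkey_get_exp_mod appears to pass the exponent and modulus in the wrong order — OpenSSL declares it as `RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)` — which would make the `BN_num_bytes(e) > (int) max_exp_len` test fail for every real key on 1.1 builds; verify against the installed header and, if confirmed, change it to `RSA_get0_key(rkey, &n, &e, NULL);`. The same call passes `BIGNUM **` where that prototype takes `const BIGNUM **`, so `e` and `n` should be declared `const BIGNUM *` (the `< 0x10100000L` branch assigns struct members, which is fine with const too).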
@@ -229,8 +260,5 @@ rdssl_hmac_md5(const void *key, int key_len, const unsigned char *msg, int msg_len, unsigned char *md) { - HMAC_CTX ctx; - HMAC_CTX_init(&ctx); HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL); - HMAC_CTX_cleanup(&ctx); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rdesktop-1.8.3/types.h new/rdesktop-1.8.4/types.h --- old/rdesktop-1.8.3/types.h 2014-05-20 12:43:03.000000000 +0200 +++ new/rdesktop-1.8.4/types.h 2019-01-02 15:03:25.000000000 +0100 @@ -32,6 +32,8 @@ typedef unsigned int uint32; typedef signed int sint32; +#define RD_UINT32_MAX (uint32)(-1) + typedef void *RD_HBITMAP; typedef void *RD_HGLYPH; typedef void *RD_HCOLOURMAP;
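Review bot: `#define RD_UINT32_MAX (uint32)(-1)` is not wrapped in parentheses, so it expands to a bare cast expression; the uses in this diff (`RD_UINT32_MAX / 2`, `RD_UINT32_MAX / Bpp`) happen to be safe because the cast binds tighter than `/`, but a future `sizeof RD_UINT32_MAX` or `-RD_UINT32_MAX` would not be. Prefer `#define RD_UINT32_MAX ((uint32)-1)` or, since `<stdint.h>` provides `UINT32_MAX`, a plain alias to that.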
